7 Security Threats in the Cloud

Top threats to the security of your cloud-based computing—and what you can do about them.

By Adam Swidler

12/01/10

In a report issued this past year, the Cloud Security Alliance (CSA), a nonprofit organization formed in 2008 to promote the use of best practices for providing security assurance within cloud computing, identified the “top threats” of security and compliance risk for cloud computing. In this article, we summarize these threats and offer examples of them, as well as provide recommendations for remediation. To read the full report, you can download “Top Threats to Cloud Computing V1.0” at cloudsecurityalliance.org/topthreats.

If you are new to cloud computing, see Cloud Computing 101 to help you better understand the terminology and concepts discussed below.

1) Abuse and Nefarious Use of Cloud Services

Essentially these are the “bad guys” who use cloud computing resources and applications to further the reach and impact of their activities. Because cloud services provide nearly “frictionless” registration processes where users can register and immediately begin using the service, spammers, malicious code writers, and other criminals can take advantage to operate with very little chance of detection. Infrastructure as a service (IaaS) and platform as a service (PaaS) technologies can be used to execute distributed denial of service (DDoS) attacks, password and CAPTCHA cracks, as well as host botnet command and control capabilities. Software as a service (SaaS) technologies can be used to send spam e-mails at significant volumes.

Examples: IaaS services have hosted the Zeus botnet, the InfoStealer Trojan horse, and numerous Microsoft Office and Adobe PDF exploits. Webmail services have been exploited by spammers to send large amounts of spam.

Remediation: Cloud providers must implement stricter registration and validation processes, including enhanced credit card fraud detection and prevention. Providers must also aggressively and proactively monitor their own network traffic to spot patterns that are indicative of abuse. Finally, the CSA suggests proactive monitoring of public blacklists to ensure that a provider’s address is not being blocked.

Additional references:

The Malware Domain List website maintains a list of domains that are known to host malware: malwaredomainlist.com.

A blog post on ZDNet details how Amazon’s cloud computing service has been used as part of a botnet: blogs.zdnet.com/security/?p=5110.
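The remediation above asks providers to watch their own telemetry for patterns indicative of abuse. The following is an added example (not code from the article or the CSA report) of two such detection rules run over a constructed provider event feed: a burst of registrations from a single source IP, and a freshly registered account that immediately generates high outbound SMTP volume. Thresholds and the event format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune against the provider's own baseline).
SIGNUP_WINDOW = timedelta(minutes=10)    # window for the burst-registration rule
MAX_SIGNUPS_PER_IP = 3                   # more than this from one IP in the window is suspicious
NEW_ACCOUNT_GRACE = timedelta(hours=24)  # how long an account is treated as "new"
MAX_NEW_ACCOUNT_SMTP = 500               # outbound SMTP connections tolerated from a new account

# Constructed sample events: (timestamp, event type, account id, detail).
# For "signup" the detail is the source IP; for "smtp_out" it is the number of
# outbound SMTP connections the account opened in that reporting interval.
SAMPLE_EVENTS = [
    ("2010-11-30T10:00:05", "signup", "acct-101", "203.0.113.7"),
    ("2010-11-30T10:00:09", "signup", "acct-102", "203.0.113.7"),
    ("2010-11-30T10:00:14", "signup", "acct-103", "203.0.113.7"),
    ("2010-11-30T10:00:20", "signup", "acct-104", "203.0.113.7"),
    ("2010-11-30T10:00:27", "signup", "acct-105", "203.0.113.7"),
    ("2010-11-30T10:02:00", "smtp_out", "acct-101", "1200"),
    ("2010-11-30T10:30:00", "signup", "acct-200", "198.51.100.4"),
    ("2010-11-30T11:00:00", "smtp_out", "acct-200", "3"),
]

def parse(events):
    """Turn ISO-8601 timestamp strings into datetimes so events can be ordered and compared."""
    return [(datetime.fromisoformat(ts), kind, acct, detail) for ts, kind, acct, detail in events]

def detect_abuse(events):
    """Return a sorted list of (rule, subject) alerts for the two abuse patterns."""
    alerts = set()
    signups_by_ip = defaultdict(list)   # source IP -> recent signup timestamps
    signup_time = {}                    # account -> registration time
    smtp_by_account = defaultdict(int)  # account -> outbound SMTP connections while "new"
    for ts, kind, acct, detail in sorted(parse(events)):
        if kind == "signup":
            signup_time[acct] = ts
            # Sliding window: keep only signups from this IP inside SIGNUP_WINDOW.
            recent = [t for t in signups_by_ip[detail] if ts - t <= SIGNUP_WINDOW]
            recent.append(ts)
            signups_by_ip[detail] = recent
            if len(recent) > MAX_SIGNUPS_PER_IP:
                alerts.add(("burst-registration", detail))
        elif kind == "smtp_out":
            started = signup_time.get(acct)
            if started is None or ts - started > NEW_ACCOUNT_GRACE:
                continue  # established account: outside the scope of this rule
            smtp_by_account[acct] += int(detail)
            if smtp_by_account[acct] > MAX_NEW_ACCOUNT_SMTP:
                alerts.add(("new-account-spam-burst", acct))
    return sorted(alerts)
```

Running `detect_abuse(SAMPLE_EVENTS)` flags the registration burst from 203.0.113.7 and the spam burst from acct-101, while acct-200 passes both rules.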

2) Insecure Interfaces and APIs

Cloud computing providers use APIs to allow customers to interact with the services. These interfaces are used to perform functions such as provisioning, management, authentication, monitoring, and access control, and they must be designed to resist both accidental and malicious compromise. In addition, third parties often build value-added services on top of these APIs, which they then offer to their own customers. This creates a layered API with increased complexity, which can increase risk.

Examples: Cleartext authentication or transmission of data, anonymous access, reusable passwords, improper authorizations, and API dependencies are some examples of this threat.

Remediation: Customers must analyze the security model of the cloud service interfaces. In addition, customers should verify that strong authentication methods are used together with encrypted transmissions. Finally, customers need to understand the chain of dependencies associated with an API.

Additional references:

An API directory and programming resources are available at programmableweb.com.

3) Malicious Insiders

While the risk of an insider acting with malicious intent is well known, the threat is potentially greater for cloud services. The presence of multiple customers’ data, all hosted with one cloud provider, can make that provider an attractive target for hobbyist hackers, organized crime, corporate espionage, and others. In addition, cloud providers may not offer visibility into how employees are granted access to physical or virtual assets, how they monitor employee actions, and how they analyze and report on policy compliance.

Remediation: Cloud customers are advised to enforce strict supply chain management practices and conduct comprehensive supplier assessments, including the cloud provider’s hiring practices and policies. Further, human resource requirements can be specified in service contracts. Customers should require transparency into overall information security practices and compliance reporting of the provider. Customers also should work with the providers to understand the security breach notification process.

4) Shared Technology Issues

Shared infrastructure is how IaaS vendors deliver their services in a highly scalable fashion. In some cases, the underlying components (GPUs, CPU caches, etc.) were not designed to offer strong isolation in a multi-tenant deployment. Virtualization hypervisors can address many of these issues. However, even hypervisors have exhibited vulnerabilities that enabled inappropriate control of or influence over the underlying systems.

Examples: Some examples of these risks include security researcher Joanna Rutkowska’s Red and Blue Pill exploits and the Cloudburst tool developed by Kostya Kortchinsky, all of which highlight potential vulnerabilities and exploits in virtualization technologies.

Remediation: Cloud providers should have a defense-in-depth strategy that includes compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be used to ensure that individual customers cannot impact other tenants on the shared infrastructure. Providers need to monitor their environments for unauthorized access, changes, and activity. The use of strong authentication methods, vulnerability scanning, and configuration audits is also recommended. Finally, service level agreements (SLAs) for patching and vulnerability remediation can further reduce risk.

5) Data Loss or Leakage

Data loss or leakage is a risk common to both cloud and on-premise architectures. Deleting or altering records without backups of the originals, or delinking records from their larger context, can make that data unrecoverable.

Remediation: To protect against these risks in the cloud, providers should encrypt data in transit; implement strong API access control; analyze data protection at design time as well as run time; and implement strong key generation, storage, management, and destruction practices. Cloud customers can seek contractual commitments from cloud providers to wipe persistent media before it is released back into service and to specify backup and retention strategies.

Additional references:

The Sidekick data outage of 2009 is chronicled here: en.wikipedia.org/wiki/Microsoft_data_loss_2009.

6) Account or Service Hijacking

Phishing, fraud, and exploitation of vulnerabilities can lead to account access being compromised. Attackers who gain access to your credentials can eavesdrop on your activities and transactions, manipulate data, return false information, and redirect your users to illegitimate sites. Your account can then become a base for continued attacks.

Remediation: Cloud customers should prohibit the sharing of account credentials among users and across services. Where possible, customers should leverage two-factor authentication methods. They should also understand cloud providers’ security policies and SLAs. Cloud providers should employ proactive monitoring to detect unauthorized activity.
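The remediation above recommends two-factor authentication. As an added illustration (not code from the article or the CSA report), the following implements the time-based one-time password scheme of RFC 6238 on top of RFC 4226 HOTP, which is the second factor most authenticator apps use; the server-side verifier compares codes in constant time and tolerates a small clock drift window. The shared secret below is the RFC test-vector secret, not a real one.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(timestamp) // step, digits)

def verify_totp(secret: bytes, code: str, timestamp: float = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current slot or up to `window` slots either side.
    Comparison is constant-time so response timing leaks nothing about the expected code."""
    if timestamp is None:
        timestamp = time.time()
    current = int(timestamp) // step
    accepted = False
    for counter in range(current - window, current + window + 1):
        # Evaluate every candidate rather than returning early, to keep timing uniform.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            accepted = True
    return accepted

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); constructed, not a real key.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("TOTP at t=59:", totp(TEST_SECRET, 59))            # RFC 6238 vector: 287082 (6 digits)
    print("verify at t=89:", verify_totp(TEST_SECRET, "287082", 89))
```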

7) Unknown Risk Profile

Cloud computing offers significant potential for reduced cost, simplified IT infrastructures, and improved IT efficiency. Software versions, updates, security practices, vulnerability profiles, intrusion attempts, and security design are all factors in estimating your institution’s security posture. In some of these areas, cloud computing solutions may offer less visibility than their on-premise counterparts, which can make it harder to “calculate” a risk profile. In reality, all infrastructures carry some unknown risks.

Remediation: Cloud providers can help reduce the unknowns by disclosing applicable logs and data and by providing a partial or full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). Monitoring and proactive alerts and notifications can also help reduce this risk.